diff options
Diffstat (limited to 'meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch')
-rw-r--r-- | meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch new file mode 100644 index 0000000000..3925a4abbb --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch | |||
@@ -0,0 +1,49 @@ | |||
1 | From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Filipe Brandenburger <filbranden@google.com> | ||
3 | Date: Thu, 10 Jan 2019 14:53:33 -0800 | ||
4 | Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866 | ||
5 | |||
6 | The original code didn't account for the fact that strchr() would match on the | ||
7 | '\0' character, making it read past the end of the buffer if no non-whitespace | ||
8 | character was present. | ||
9 | |||
10 | This bug was introduced in commit ec5ff4445cca6a which was first released in | ||
11 | systemd v221 and later fixed in commit 8595102d3ddde6 which was released in | ||
12 | v240, so versions in the range [v221, v240) are affected. | ||
13 | |||
14 | Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b | ||
15 | also includes a change from systemd master which removes a heap buffer overflow | ||
16 | a6aadf4ae0bae185dc4c414d492a4a781c80ffe5. | ||
17 | |||
18 | CVE: CVE-2018-16866 | ||
19 | Upstream-Status: Backport | ||
20 | Signed-off-by: Marcus Cooper <marcusc@axis.com> | ||
21 | --- | ||
22 | src/journal/journald-syslog.c | 4 ++-- | ||
23 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
24 | |||
25 | diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c | ||
26 | index 9dea116722..809b318c06 100644 | ||
27 | --- a/src/journal/journald-syslog.c | ||
28 | +++ b/src/journal/journald-syslog.c | ||
29 | @@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) | ||
30 | e = l; | ||
31 | l--; | ||
32 | |||
33 | - if (p[l-1] == ']') { | ||
34 | + if (l > 0 && p[l-1] == ']') { | ||
35 | size_t k = l-1; | ||
36 | |||
37 | for (;;) { | ||
38 | @@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) | ||
39 | if (t) | ||
40 | *identifier = t; | ||
41 | |||
42 | - if (strchr(WHITESPACE, p[e])) | ||
43 | + if (p[e] != '\0' && strchr(WHITESPACE, p[e])) | ||
44 | e++; | ||
45 | *buf = p + e; | ||
46 | return e; | ||
47 | -- | ||
48 | 2.11.0 | ||
49 | |||